OpenLDAP can function as a policy store. A single directory server instance can function as a:
Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.
Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning. You can use the Policy Store Worksheets to record your values.
Note: Policy and data store worksheets are provided to help you gather and record information before configuring or upgrading a CA SiteMinder® data store. You can print the applicable worksheet and can use it to record required information before beginning.
Specifies the fully-qualified host name or the IP Address of the directory server.
(Optional) Specifies a non-standard port.
Default values: 636 (SSL) and 389 (non-SSL)
Specifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.
Specifies the password for the Administrative DN.
Specifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.
Specifies the pathname of the directory where the SSL client certificate database file resides.
Limit: SSL only
Complete the following procedures to configure an OpenLDAP directory server as a policy store:
An OpenLDAP directory server requires additional configuration before you can use it as a policy store. The following process lists the configuration steps:
Specify the SiteMinder Schema Files
Specifying the schema files in the include section of the slapd configuration file (slapd.conf) configures the slapd process (the LDAP Directory Server daemon) to read the additional configuration information. The included files must follow the correct slapd configuration file format.
Follow these steps:
Specifies the Policy Server installation path.
.... ..... include /usr/local/etc/openldap/schema/openldap_attribute.schema include /usr/local/etc/openldap/schema/openldap_object.schema include /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema include /usr/local/etc/openldap/schema/openldap_object_XPS.schema
Note: This procedure assumes that the OpenLDAP server is located in /usr/local/etc/openldap and that the schema files are located in the schema subdirectory.
The CA SiteMinder® schema files are specified.
Specify Policy Store Indexing
Specify indexing in the slapd.conf file to use OpenLDAP as a policy store.
Follow these steps:
# Indices to maintain index objectClass eq
index smAdminOID4 pres,eq index smAuthDirOID4 pres,eq index smAzDirOID4 pres,eq index smcertmapOID4 pres,eq index smIsRadius4 pres,eq index smIsAffiliate4 pres,eq index smParentRealmOID4 pres,eq index smPasswordPolicyOID4 pres,eq index smAgentGroupOID4 pres,eq index smKeyManagementOID4 pres,eq index smAgentOID4 pres,eq index smAgentKeyOID4 pres,eq index smRootConfigOID4 pres,eq index smAGAgents4 pres,eq index smDomainAdminOIDs4 pres,eq index smDomainOID4 pres,eq index smvariableoid5 pres,eq index smNestedVariableOIDs5 pres,eq index smvariabletypeoid5 pres,eq index smActiveExprOID5 pres,eq index smDomainUDs4 pres,eq index smVariableOIDs5 pres,eq index smusractiveexproid5 pres,eq index smPropertyOID5 pres,eq index smPropertySectionOID5 pres,eq index smPropertyCollectionOID5 pres,eq index smFilterClass4 pres,eq index smTaggedStringOID5 pres,eq index smNoMatch5 pres,eq index smTrustedHostOID5 pres,eq index smIs4xTrustedHost5 pres,eq index smDomainMode5 pres,eq # index smImsEnvironmentOIDs5 pres,eq index smSecretRolloverEnabled6 pres,eq index smSecretGenTime6 pres,eq index smSecretUsedTime6 pres,eq index smSharedSecretPolicyOID6 pres,eq index smFilterPath4 pres,eq index smPolicyLinkOID4 pres,eq index smIPAddress4 pres,eq index smRealmOID4 pres,eq index smSelfRegOID4 pres,eq index smAzUserDirOID4 pres,eq index smResourceType4 pres,eq index smResponseAttrOID4 pres,eq index smResponseGroupOID4 pres,eq index smResponseOID4 pres,eq index smRGResponses4 pres,eq index smRGRules4 pres,eq index smRuleGroupOID4 pres,eq index smRuleOID4 pres,eq index smSchemeOID4 pres,eq index smisTemplate4 pres,eq index smisUsedbyAdmin4 pres,eq index smSchemeType4 pres,eq index smUserDirectoryOID4 pres,eq index smODBCQueryOID4 pres,eq index smUserPolicyOID4 pres,eq index smAgentTypeAttrOID4 pres,eq index smAgentTypeOID4 pres,eq index smAgentTyperfcid4 pres,eq index smAgentTypeType4 pres,eq index smAgentCommandOID4 pres,eq index smTimeStamp4 pres,eq index smServerCommandOID4 pres,eq index smAuthAzMapOID4 pres,eq index xpsParameter pres,eq index xpsValue pres,eq index xpsNumber pres,eq index xpsCategory pres,eq index xpsGUID pres,eq index xpsSortKey pres,eq index xpsIndexedObject pres,eq
slapindex -f slapd.conf
The policy store indexing for OpenLDAP is specified.
Enable User Authentication
Enabling user authentication ensures that you can protect resources with a supported authentication scheme.
To enable user authentication, add the following to the slapd configuration file:
access to attrs=userpassword by self write by anonymous auth by * none
Specify Database Directives
The slapd configuration file requires values for additional database directives.
To specify the directives, edit the following:
Specify any supported backend type.
Example: bdb
Specify the database suffix.
Example: dc=example,dc=com
Specify the DN of root.
Example: cn=Manager,dc=example,dc=com
Specify the password to root.
Specify the path of the database directory.
Example: /usr/local/var/openldap-data
Note: The database directory must exist prior to running slapd and should only be accessible to the slapd process.
Support Client-Side Sorting
OpenLDAP is the only supported LDAP directory that does not support server-side sorting. Instead, OpenLDAP requires that all sorting be performed on the client side. To accomplish this, all XPS objects are retrieved at start-up using server-side paging.
To support client-side sorting, the OpenLDAP directory administrator must configure the following settings in the slapd.conf file:
This setting allows the XPS client to read the OpenLDAP directory's type and capabilities.
This setting accommodates XPS objects which are retrieved in increments of 500 by server-side paging.
This setting allows smconsole to test the LDAP connection using a simple V2 bind.
To support client-side sorting
access to * by users read by anonymous read access to dn.base=ACL by users read
Specifies an access control list or list of permissions.
Note: For more information on how to specify the ACL, see http://www.openldap.org/doc/admin24/access-control.html.
sizelimit 500
Note: The default sizelimit value is 500. For more information, see http://www.openldap.org/doc/admin24/slapdconfig.html.
allow bind_v2
The slapd.conf file is configured to support client-side sorting.
Test the Configuration File
Testing the configuration file ensures that it is correctly formatted.
To test the configuration file
./slapd
Note: Unless you specified a debugging level, including level 0, slapd automatically forks, detaches itself from its controlling terminal, and runs in the background.
./slapd -Tt
The slapd configuration file is tested.
Restart the OpenLDAP Server
Restarting the OpenLDAP directory server loads the SiteMinder schema. The Policy Server requires that the SiteMinder schema is loaded before you can use the directory server as a policy store.
To restart the directory server
kill -INT 'cat path_of_var/run_directory/slapd.pid`
Specifies the path of the database directory.
Example: kill -INT `cat /usr/local/var/run/slapd.pid`
./slapd
The following process lists the steps for creating the directory server database for the policy store:
Create the Base Tree Structure
You can create a base tree structure to store policy store objects.
Specify the following entry under the root DN:
ou=Netegrity,ou=SiteMinder,ou=PolicySvr4,ou=XPS
The base tree structure is created.
Add Entries
Add entries to the directory server so that CA SiteMinder® has the necessary organization and organizational role information.
To add database entries
Example: The following example contains an organization entry and an organizational role entry for the entries.ldif.
# CA, example.com dn: ou=Netegrity,dc= example,dc=com ou: CA objectClass: organizationalUnit objectClass: top
# SiteMinder, CA, example.com dn: ou=SiteMinder,ou=CA,dc= example,dc=com ou: SiteMinder objectClass: organizationalUnit objectClass: top
# PolicySvr4, SiteMinder, CA, example.com dn: ou=PolicySvr4,ou=SiteMinder,ou=CA,dc= example,dc=com ou: PolicySvr4 objectClass: organizationalUnit objectClass: top
# XPS, policysvr4, siteminder, ca, example.com dn: ou=XPS,ou=policysvr4,ou=siteminder,ou=ca,dc= example,dc=com ou: XPS objectClass: organizationalUnit objectClass: top
ldapadd -f <file_name.ldif> -D "cn=Manager,dc=example,dc=com"
-w<password>
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Follow these steps:
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Policy Store
LDAP
Note: You can click Help for a description of fields, controls, and their respective requirements.
Key Store
LDAP
Use Policy Store database
The default CA SiteMinder® administrator account is named:
siteminder
The account has maximum permissions.
We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:
Follow these steps:
Specifies the Policy Server installation path.
Note: The utility is at the top level of the Policy Server installation kit.
smreg -su password
Specifies the password for the default CA SiteMinder® administrator.
Limits:
Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.
The password for the default CA SiteMinder® administrator account is set.
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
Specifies the Policy Server installation path.
XPSDDInstall SmMaster.xdd
Imports the required data definitions.
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
Specifies the Policy Server installation path.
Follow these steps:
XPSImport smpolicy.xml -npass
XPSImport smpolicy-secure.xml -npass
Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.
Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.
Enable the advanced authentication server as part of configuring your Policy Server.
Follow these steps:
The master key screen appears.
Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
The advanced authentication server is enabled.
You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following:
To prepare for the Administrative UI registration
XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Specifies the password for the default CA SiteMinder® super user account (siteminder).
Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
Unit of measurement: minutes
Default: 240 (4 hours)
Minimum Limit: 15
Maximum Limit: 1440 (24 hours)
(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI for the first–time
Default: 1
Maximum Limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies where the registration log file must be exported.
Default: siteminder_home\log
siteminder_home
Specifies the Policy Server installation path.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI for the first–time.
Copyright © 2013 CA.
All rights reserved.
|
|